Skip to main content
CVE-2025-27389 MEDIUM This Month

A flaw exists in the verification of application installation sources within ColorOS. Under specific conditions, this issue may cause the risk detection mechanism to fail, which could allow malicious applications to be installed without proper warning.

Authentication Bypass
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2016-20023 MEDIUM PATCH This Month

A remote code execution vulnerability in CKSource CKFinder (CVSS 5.0). Remediation should follow standard vulnerability management procedures.

Information Disclosure Ckfinder
NVD
CVSS 3.1
5.0
EPSS
0.1%
CVE-2025-66511 MEDIUM PATCH This Month

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.

Information Disclosure Calendar Nextcloud
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-66270 MEDIUM PATCH This Month

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

Authentication Bypass Google Ubuntu Debian Android +1
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-32898 MEDIUM PATCH This Month

A remote code execution vulnerability (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

Information Disclosure Google Ubuntu Debian Android +1
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-66510 MEDIUM PATCH This Month

A security vulnerability in Nextcloud Server (CVSS 4.5) that allows an authenticated user. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Debian Nextcloud Server Nextcloud
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2025-13682 MEDIUM This Month

The Trail Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-12186 MEDIUM This Month

The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-12124 MEDIUM This Month

The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-62223 MEDIUM PATCH This Month

User interface (ui) misrepresentation of critical information in Microsoft Edge for iOS allows an unauthorized attacker to perform spoofing over a network.

Microsoft Authentication Bypass Apple Edge Chromium iOS
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-32901 MEDIUM PATCH This Month

In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.

Google Denial Of Service Ubuntu Android Red Hat +1
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12354 MEDIUM This Month

A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12370 MEDIUM This Month

A security vulnerability in for WordPress is vulnerable to authorization bypass in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12165 MEDIUM This Month

A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12133 MEDIUM This Month

A security vulnerability in EPROLO Dropshipping (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66552 MEDIUM PATCH This Month

A security vulnerability in Nextcloud Server and Enterprise Server (CVSS 4.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Debian Nextcloud Server Nextcloud
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-32899 MEDIUM PATCH This Month

A security vulnerability in KDE Connect (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Google Ubuntu Android Red Hat +1
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66547 MEDIUM PATCH This Month

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.

Authentication Bypass Debian Nextcloud Server Nextcloud
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66553 MEDIUM PATCH This Month

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.

Authentication Bypass Tables Nextcloud
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12130 MEDIUM This Month

The WC Vendors - WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12373 MEDIUM This Month

The Torod - The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12128 MEDIUM This Month

The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-10055 MEDIUM This Month

The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-11759 MEDIUM This Month

The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66513 MEDIUM PATCH This Month

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1.

Authentication Bypass Tables Nextcloud
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13684 MEDIUM This Month

The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13360 MEDIUM This Month

The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13144 MEDIUM This Month

The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12190 MEDIUM This Month

The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13362 MEDIUM This Month

The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-32900 MEDIUM PATCH This Month

A security vulnerability in the KDE Connect information-exchange protocol (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Microsoft Information Disclosure Google Ubuntu Debian +2
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-8148 MEDIUM PATCH This Month

An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.

Information Disclosure Goanywhere Managed File Transfer
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-66629 LOW PATCH Monitor

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't send a state parameter and verify the response using this parameter. This vulnerability is fixed in 1.10.4.

CSRF Google Gitlab
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-66545 LOW PATCH Monitor

A security vulnerability in a group or team. (CVSS 3.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Nextcloud
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-66514 LOW PATCH Monitor

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code.

XSS Nextcloud
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-66556 LOW PATCH Monitor

Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-66548 LOW PATCH Monitor

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

Information Disclosure Nextcloud
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-66546 LOW PATCH Monitor

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-66558 LOW PATCH Monitor

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-66515 LOW PATCH Monitor

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-66549 LOW PATCH Monitor

Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.

Information Disclosure Ubuntu Debian Nextcloud
NVD GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2025-14089 LOW Monitor

A security vulnerability in Himool ERP (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14088 LOW Monitor

A security vulnerability in ketr JEPaaS (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14105 LOW Monitor

A vulnerability was determined in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. This impacts an unknown function of the file /reqproc/proc_post of the component Web Interface. Executing manipulation of the argument goformId with the input REBOOT_DEVICE can lead to denial of service. The attack can only be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Denial Of Service
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-14116 LOW Monitor

A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion).

SSRF
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-66544 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-66543 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-66542 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-66541 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-66540 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy